[821] in linux-security and linux-alert archive


[linux-security] Symlinks as holes (Was: Big security hole in kerneld's request_route)

daemon@ATHENA.MIT.EDU (Craig Woodward)
Mon Jun 17 11:47:28 1996

From: woody@mail.csh.rit.edu (Craig Woodward)
Date: Mon, 17 Jun 1996 10:35:54 -0400
To: Mark Whitis <whitis@dbd.com>, ichudov@algebra.com
Cc: linux-security@tarsier.cv.nrao.edu

>On Wed, 12 Jun 1996 ichudov@algebra.com wrote:
>
>> you $ ln -s /etc/passwd /tmp/request-route
>> you$ ping 204.251.80.30
>
>Given that we have had multiple reports of security holes related
>to symbolic links in publicly writeable directories, it might
>be time to consider a kernel patch which would allow us to set
>a flag on a directory which:
>   - prevents creation of symbolic links (except, perhaps,
>     to files which already exist and are owned by the
>     owner of the link) except by root or some specified
>     group.
>   - propagates to all directories created under that directory.
>
>Another method would be to create a mount option "nosymlinks", similar
>to "nosuid", and put your publicly writeable filesystems there.

	While I would love to have the ACL method work under Linux,
I'm not holding my breath.  I love ACLs under VMS (about the only thing
I love about it...), but don't think Linux will have it any time soon.

	My solution to the symbolic link mess was to hack the xiafs
driver (as a module) to not have the capacity to sym-link.  Then I
mount one small partition as xiafs, under /secure, and symlink things
I want in that arena into /secure (i.e. /tmp is a link to /secure/tmp).
This defeats about 90% of the sym-link bugs.  Race condition bugs
are still there, but at least this fixes most of them.
								-Woody
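
The symlink case quoted above, as an added example that is not part of the original message or of kerneld: a file opened by a predictable name in a writable directory, first with an open that refuses a pre-existing symlink and then with one that follows it. The scratch directory, the `victim` file and the function names are constructed for the demonstration.

```c
/* Added example; paths are constructed stand-ins, not kerneld source. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: follows a pre-planted symlink and truncates whatever it points to. */
int open_weak(const char *p) { return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600); }

/* Hardened: O_EXCL fails if the name exists at all (symlinks included);
   O_NOFOLLOW additionally refuses a symlink as the final path component. */
int open_hardened(const char *p) {
    return open(p, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

/* Returns bit 0 set if the hardened open refused and left the target intact,
   bit 1 set if the weak open then truncated the target; -1 on setup error. */
int demo(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], lnk[64];
    int fd, result = 0;

    if (!mkdtemp(dir)) return -1;                       /* private scratch dir */
    snprintf(target, sizeof target, "%s/victim", dir);  /* stands in for /etc/passwd */
    snprintf(lnk, sizeof lnk, "%s/request-route", dir); /* the predictable name */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (symlink(target, lnk) != 0) return -1;

    fd = open_hardened(lnk);                            /* must fail: name exists */
    if (fd < 0 && size_of(target) == 10) result |= 1;
    if (fd >= 0) close(fd);
    fd = open_weak(lnk);                                /* follows the link */
    if (fd >= 0) { close(fd); if (size_of(target) == 0) result |= 2; }
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("demo() = %d (3 means hardened refused, weak clobbered)\n", demo());
    return 0;
}
```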
